Back to all posts

DNN Security Alert - Rogue Host Users

Posted on May 25, 2016

Posted in category:

It is not often that I will post a security related post here, however, due to recent activity that I have witnessed I need to make an exception to the normal policy here. In early 2015 DNN Software published a blog article regarding a security exploit that was part of the core DNN code. The full article can be found on the DNN Software Blog. Many users have gone through and completed the workaround outlined in the DNN Software posting. It has been now discovered that many have not completed this step, and in addition, the actual risk is larger than initially expected and requires action by other DNN users for mitigation.

Potentially Impacted Users

Since initially posting this information it appears that the potentially impacted sites are far greater than initially expected. It appears that if you are running DNN/Evoq version 7.0.0 or later and do not have a host user named "host" your site could be impacted by the listed vulnerability. I have confirmed this from DNN Software as well as from assisting customers with issues that have arisen in the past 24 hours. The listed steps from the above posting are also no longer good enough to resolve the issues, so I've added additional information below on how to resolve.

Mitigation Steps

Regardless if your site has been impacted or not, it is recommended that you perform the following actions to ensure that your site remains secure.

  • Delete /Install/InstallWizard.aspx
  • Delete /Install/
  • Delete /Install/UpgradeWizard.aspx
  • Delete /Install/UpgradeWizard.aspx.cs

This will ensure that the initial vector used to gain access is closed. This applies to ALL DNN 7.0.0 and later users.

What to Do If You Were Exploited

If you are on a vulnerable version, the first step is to review your SuperUser account list. This can be found under "Host" -> "SuperUser Accounts." If you have an account that you do not recognize that was recently created you will want to have a deeper review of your site for potential content issues. If you do not find any new accounts that you cannot identify you should be ok.


I hate addressing these issues here, but I hope that you ALL will take this information seriously and check your sites.